Ciscoís ASA 5500-X, ASA 5500, and PIX 500 firewalls provide integrated firewall, VPN, and intrusion prevention system (IPS) services in compact single-box packages, delivering a broad range of capabilities to meet the security needs of organizations ranging from small and mid-size businesses to enterprises and Internet service providers. Ciscoís ASA and PIX firewalls allow IT groups to protect their network perimeter and provide secure remote access while utilizing powerful management tools based on Cisco's industry-leading firewall technology.
Cisco's PIX and ASA 5500 firewalls have reached end-of-life (EOL) status but remain widely used by small and mid-size businesses as well as by many enterprise data centers. The ASA 5500-X Series Next-Generation Firewalls deliver significantly more bang for the buck and have superseded the ASA 5500 and PIX firewalls for new deployments. Still, Cisco's legacy firewalls, if properly managed, continue to deliver a high level of protection by supplying multiple security functions including firewall, VPN, and IPS.
Following Cisco's purchase of Sourcefire, the entire family of Cisco ASA 5500-X firewalls can be provisioned to support Firepower Services, built on Sourcefire's Snort technology, which is the world's most deployed network intrusion protection system. Firepower services bring enhanced features including advanced malware protection (AMP), URL filtering, dynamic threat analytics, and security automation.
Progent's Cisco certified network engineers can help you maintain and debug legacy PIX and ASA 5500 series firewalls and can also help you plan and implement a smooth migration to ASA 5500-X firewalls with Firepower Services. Progent can also help you plan, deploy, tune, manage and troubleshoot firewall solutions based on Cisco ASA 5500-X firewalls with Firepower Services.
Firepower Services for Cisco ASA 5500-X Firewalls
Cisco ASA 5500-X firewalls accept software or hardware modules that support Cisco's ASA Firepower Services, which offer multi-layer defense against sophisticated threats. Firepower Services are based on technology acquired by Cisco from Sourcefire. Key features of Firepower Services for ASA firewalls include:
- Layered defense against both familiar and zero-day threats
- Advanced Malware Protection (AMP) that utilizes big data to discover and mitigate security breaches
- Cisco's Next-Generation Intrusion Prevention System (NGIPS) that provides contextual analysis that covers clients, network infrastructure, apps, and content to detect attacks that incorporate multiple vectors
- Fine-grained Application Visibility and Control, or AVC, that is aware of thousands of applications and can automatically launch both standard and custom IPS policies based on the severity of risk
Firepower Services for Cisco ASA 5500-X firewalls offer advanced multi-layered security
Simpler deployments of ASA 5500-X firewalls can be efficiently managed via Cisco's on-box Adaptive Security Device Manager (ASDM), which is provided with all ASA 5500-X models. ASDM includes an easy-to-use web console that provides a convenient mechanism for deploying, managing, and debugging ASA 5500-X devices and service modules.
For multi-device and multi-site deployments, ASA 5500-X firewalls with Firepower Services can be managed with Firepower Management Center, available as one or more physical or virtual devices. Firepower Management Center provides centralized firewall management, visibility and control over applications, advanced IPS, URL filtering, and AMP. Due to frequent rebranding since Cisco's acquisition of Sourcefire Defense Center, Firepower Management Center has been delivered under various names including Defense Center, FireSIGHT Defense Center, and FireSIGHT Management Center.
Firepower Management Center provides features unavailable with the ASA 5500-X ASDM on-device manager. These include context awareness capabilities such as file trajectory, advanced malware protection (AMP) with mitigation for user devices, a console that offers real-time network visualization, automated policy tuning based on impact assessment of threats, comprehensive IPS, custom application detectors for AVC, customized health notifications, enhanced reporting features, and application interfaces for host input and database access. Hardware-dependent features like clustering, stacking, switching, routing, VPN, and NAT must be managed via Cisco's ASA 5500-X on-box ASDM and the ASA command line interface.
Cisco's ASA 5500-X Product Family
Cisco's extensive family of ASA 5500-X series firewalls includes an enhanced replacement for each rack-mountable model in the older ASA 5500 family of firewalls. Each ASA 5500-X device targets the same environment as the corresponding earlier models, which gives small offices and branch offices, midsize businesses, and large enterprises plenty of options in choosing a firewall that fits their performance requirements and budgets. All ASA 5500-X products build on Cisco's proven and widely deployed stateful-inspection firewall technology and all incorporate 64-bit hardware with multicore CPUs and are capable of running Cisco's advanced security services. All models in Cisco's ASA 5500-X family provide consistent security across any mix of physical, virtual, and cloud environments.
Cisco ASA 5506-X and ASA 5508-X Firewalls
Cisco's ASA 5506-X firewall is a value-priced desktop device for entry-level firewall applications. Cisco offers a Wi-Fi enabled model as well as a hardened version for rugged environments. The ASA 5506-X offers 300 Mbps of multiprotocol firewall throughput, 100 Mbps 3DEAS/AES VPN throughput, and 250 Mbps Application Visibility and Control (AVC) performance. The ASA 5506-X can handle 10 IPsec VPN peers (or 50 with a Cisco Security Plus license), 20,000 simultaneous sessions (or 50,000 with Security Plus), 5,000 new connections per second, and 5 VLANs (or 30 VLANs with Security Plus). The appliance comes with eight integrated 1 GE ports and does not have an expansion I/O slot.
Cisco's ASA 5508-X firewall is a value-priced 1RU firewall designed for smaller deployments. The ASA 5508-X supports up to 500 Mbps of multiprotocol throughput, 100 IPsec VPN peers, 175 Mbps 3DEAS/AES VPN performance, and AVC throughput of 450 Mbps. The ASA 5508-X can handle 100,000 concurrent sessions, 10,000 new connections per second, and up to 50 VLANs. The firewall includes eight integrated 1 GE ports and no slot for I/O expansion.
Cisco ASA 5512-X, ASA 5515-X and ASA 5516-X Firewalls
Cisco's ASA 5512-X firewall is designed for small offices or branch offices and is packaged in a 1RU rack-mountable form factor. The ASA 5512-X delivers multiprotocol firewall throughput of 500 Mbps, 3DEAS/AES VPN throughput of up to 200 Mbps, and Application Visibility and Control (AVC) throughput of 300 Mbps. The ASA 5512-X supports 250 IPsec site-to-site VPN peers, 100,000 concurrent sessions, 10,000 new connections per second, and up to 50 VLANs (or 100 VLANs with Cisco's Security Plus license). The device has six integrated 10/100/1000 Ethernet ports and has one expansion slot for six 10/100/1000 ports or six SFP GE ports.
Cisco's ASA 5515-X firewall is a high-performance 1RU firewall for small offices and branch offices. The ASA 5515-X supports 600 Mbps of firewall throughput, 250 Mbps 3DEAS/AES VPN throughput, and AVC throughput of 500 Mbps. In addition, the ASA 5515-X can handle 250 IPsec VPN peers, 250,000 concurrent sessions, 15,000 new connections per second, and up to 100 VLANs. The firewall includes six integrated 10/100/1000 Ethernet ports or six SFP GE ports and has a single expansion slot for six 10/100/1000 ports or six SFP GE ports.
Cisco's ASA 5516-X firewall is a 1RU device designed for deployments in small or mid-size organizations. The unit offers up to 900 Mbps of firewall throughput, 250 Mbps of 3DEAS/AES VPN throughput, and AVC performance of 850 Mbps. The ASA 5516-X supports 300 IPsec VPN peers, 250,000 simultaneous sessions, 20,000 new connections per second, and up to 100 VLANs. The ASA 5516-X incorporates eight built-in 1 GE ports and has no I/O expansion slot.
Cisco ASA 5525-X, ASA 5545-X and ASA 5555-X Firewalls
Cisco's ASA 5525-X firewall replaces the discontinued ASA 5520 firewall and offers midsize businesses next-generation security at the Internet Edge. The 1RU appliance offers 1 Gbps of multiprotocol firewall throughput, 300 Mbps 3DES/AES VPN throughput, and Application Visibility and Control throughput of 1.1 Gbps. The ASA 5525-X can handle 300 VPN IPsec peers, up to 500,000 concurrent sessions, 20,000 new connections per second, and as many as 200 VLANs. The device includes eight integrated 10/100/1000 ports and has an expansion slot that can support either six 10/100/1000 ports or six SFP GE ports.
Cisco's ASA 5545-X firewall is designed as an upgrade for the legacy ASA 5540 security appliance and delivers mid-range performance for edge security. The 1RU ASA 5545-X provides 1.5 Gbps firewall throughput, 400 Mbps 3DES/AES VPN performance, and 1.5 Gbps AVC performance. The ASA 5545-X can support 400 site-to-site VPN IPsec peers, 750,000 concurrent sessions, 30,000 new connections per second, and 300 VLANs. The ASA 5545-X has eight built-in 10/100/1000 Ethernet ports and includes an expansion slot for six additional 10/100/1000 ports or for six SFP GE ports.
The Cisco ASA 5555-X firewall is designed as an upgrade for Cisco's earlier ASA 5550, now at end-of-life, and provides midsize organizations with high throughput and advanced security at the Internet edge. The ASA 5555-X delivers 2 Gbps of firewall performance, 700 Mbps 3DES/AES VPN performance, and AVC throughput of 1.75 Gbps. The ASA 5555-X handles up to 700 VPN IPsec peers, 1,000,000 simultaneous sessions, 50,000 new connections per second, and up to 500 VLANs. Eight 10/100/1000 ports are integrated with the ASA 5555-X and an expansion slot allows you to add six 10/100/1000 ports or six SFP GE ports.
Cisco ASA 5585-X Firewalls
The top of the line of Cisco's ASA 5500-X firewall family is the ASA 5585-X, which is the only version with a 2RU dual-slot chassis. Intended as an upgrade for the discontinued ASA 5580 firewall, the ASA 5585-X is designed for enterprise data centers, ISPs, and other environments that need to deliver high performance and handle high traffic density.
The lower slot of the Cisco ASA 5585-X chassis is for the firewall/VPN Security Services Processor (SSP), and the upper slot is for the IPS SSP. Cisco offers four different SSPs and four IPS SSPs. Based on the SSP selected, the ASA 5585-X's multi-protocol firewall performance can be from 2 to 20 Gbps, 3DES/AES VPN throughput from 2 to 10 Gbps, and Application Visibility and Control from 4.5 Gbps to 15 Gbps. The ASA 5585-X can manage 5,000 to 10,000 VPN IPsec site-to-site peers, 500,000 to 4,000,000 simultaneous sessions, 40,000 to 160,000 new connections per second, and 1024 VLANs. Integrated I/O can be configured to support eight 10/100/1000 ports and 2x10 GE SFP+ ports or six 10/100/1000 ports and four 10 GE SFP+ ports. Expansion I/O options include eight 10 GE SFP/SFP+ ports, four 10 GE SFP/SFP+ ports, or twelve 1 GE SFP ports plus eight 10/100/1000 ports.
For more information about Progent's support for Cisco ASA 5500-X firewalls, Firepower Services, and Firepower Management Center, visit Cisco ASA 5500-X firewalls with Firepower Services consulting.
Cisco ASA 5500 Series Firewalls
Ciscoís ASA 5500 Series multi-function firewalls improve on the discontinued PIX 500 family they are designed to replace by introducing a modular hardware and software architecture for easy expansion and investment protection, offering optional Secure Sockets Layer (SSL) VPN support in addition to the standard IPsec VPN included with all models, and delivering substantially higher performance. Unlike the ASA 5500-X line of firewalls that replace them, ASA 5500 firewalls can not be upgraded to support Cisco's Firepower Services.
The expandable design of the ASA 5500 Series allows you to add services by installing security service modules (SSMs) and security service cards (SSCs). These user-installable enhancements give you the option of adding IPS and content protection services such as blocking viruses, spyware, and phishing attacks and performing file and URL filtering. In addition to allowing you to respond quickly to new threat environments, the expandable design of the ASA 5500 Series also protects your capital investment by increasing the useful life of your security appliances. The ASA 5500 Series also protects your investment in IT staff training by supporting the rich set of PIX 500 management tools and protocols including the Cisco Adaptive Security Device Manager (ASDM) system for web-based management, secure command-line interface (CLI) access, verbose syslog, and SNMP.
Cisco ASA 5500 firewalls provide enhanced application protection via application-aware inspection processes that analyze network flows at Layers 4-7 and covers web, voice, and mobile wireless connectivity. Cisco's inspection engines integrate extensive application and protocol databases and employ advanced security enforcement technologies such as anomaly detection and application and protocol state monitoring. Cisco ASA firewall inspection engines also let you control IM and peer-to-peer file sharing so you can police usage policies and free up bandwidth for key business applications.
Cisco ASA 5505 Firewalls
Cisco's ASA 5505 firewall is designed for small businesses, branch offices, and enterprise teleworkers. These devices offer maximum firewall throughput of 150 Mbps and can handle up to 25 SSL VPN sessions plus 10,000 connections in the Base version and up to 25,000 connections in the Security Plus version. The ASA 5505 includes 256 MB of memory and can support up to three VLANs with trunking disabled. GTP/GPRS inspection, VPN clustering, and load balancing are not available in this entry-level firewall. High availability support is an option with the Security Plus version.
The ASA 5505 has a single expansion slot for a Security Services Card (SSC) that supports Advanced Inspection and Prevention. Maximum IPS throughput with this card installed is 75 Mbps.
Cisco ASA 5510, 5520, and 5540 Firewalls
Cisco's ASA 5510 firewall is designed for small and mid-sized businesses and small enterprises. The ASA 5510 offers maximum firewall throughput of 300 Mbps and can handle up to 250 SSL VPN sessions. In the Base version, the ASA 5510 supports 50,000 connections in the Base version and up to 130,000 connections in the Security Plus version. The ASA 5510 includes 256 MB of memory and can support up to 50 VLANs in the base version and 100 VLANs with the Security Plus version. Load balancing, VPN clustering, and high availability support are available only in the Security Plus version.
Cisco's ASA 5520 security appliance is designed for small enterprises. The 5510 offers maximum firewall throughput of 450 Mbps and can handle up to 750 SSL VPN sessions and 280,000 connections. The ASA 5520 includes 512 MB of memory and can support up to 150 VLANs. GTP/GPRS inspection, VPN clustering, plus support for load balancing and high availability are included.
Cisco's ASA 5540 is made for medium-sized enterprises, offers maximum firewall throughput of 650 Mbps, and can handle up to 2,500 SSL VPN sessions along with 400,000 connections. The ASA 5540 includes 1 GB of memory and can support up to 200 VLANs. GTP/GPRS inspection, VPN clustering, load balancing, and high availability support are included.
Cisco ASA 5510, 5520, and 5540 firewalls can each accept a single Security Services Module (SSM) that can support Content Security and Control Security, Advanced Inspection and Prevention (AIP), or 4 Gigabit Ethernet security. Maximum IPS throughput, depending on the AIP Security Services Module used, can be up to 300 Mbps on the ASA 5510, 450 Mbps on the ASA 5520, and 650 Mbps on the ASA 5540.
Cisco ASA 5550 Firewalls
Cisco's ASA 5550 firewall is designed for large enterprises and delivers top firewall throughput of 1,200 Mbps. The ASA 5550 can handle up to 5,000 SSL VPN sessions and 650,000 connections. The Cisco ASA 5550 includes 4 GB of memory and supports up to 250 VLANs. GTP/GPRS inspection, VPN clustering, load balancing, and high availability support are included.
The ASA 5550 does not have expansion slots but has four integrated small form pluggable (SFP) fiber optic Ethernet ports.
Cisco ASA 5580 Firewalls
Cisco's ASA 5580-20 and 5580-40 firewalls are designed for large enterprise data centers. The ASA 5580-20 has firewall throughput of 5 Gbps, supports 1,000,000 connections, and has 8 GB of memory. The ASA 5580-40 has firewall throughput of 10 Gbps, supports 2,000,000 connections, and has 12 GB of memory. Both versions can handle up to 10,000 SSL VPN sessions and support up to 250 VLANs. Both models include GTP/GPRS inspection, VPN clustering, load balancing, and high availability support, and both have six slots for Interface Expansion Cards (IECs) that allow the addition of Ethernet ports.
To find out how Progent can help you maintain or upgrade your Cisco ASA 5500 firewalls, see Cisco ASA 5500 firewall consulting services.
Cisco PIX Security Appliance Series
Cisco's older generation PIX 500 Series firewalls established the standard for dedicated firewall appliances and were the mostly widely deployed firewall devices in the industry. The PIX 500 series has a purpose-built operating system that offers a wealth of security services, PIX firewalls offer a high level of protection and have earned Common Criteria Evaluation Assurance Level 4 status and ICSA Firewall and IPsec certification. PIX firewalls provide security for a wide range of VoIP and other mixed-media protocols including H.323 v. 4, Session Initiation Protocol (SIP), Cisco Skinny Client Control Protocol, Real-Time Streaming Protocol (RTSP), and MGCP. This enables businesses to provide security for a wide range of current and future IP voice and video applications. Because PIX firewalls are no longer sold and may not be supported by Cisco, IT managers should be thinking seriously about upgrading to the corresponding ASA 5500-X firewall. Progent can help with developing and implementing an upgrade strategy, and can also provide affordable online support to help companies manage and maintain legacy PIX firewalls.
PIX firewalls feature a variety of configuration, monitoring, and troubleshooting features, providing businesses the versatility to use the tools that best meet their needs. Management solutions include common, policy-based administration utilities, integrated Web-based administration, and compatibility with remote-monitoring protocols such as SNMP and syslog. The integrated ASDM interface provides a world-class web-accessible management solution that greatly simplifies the deployment, updating, and monitoring of individual PIX firewalls without requiring any extra software other than an ordinary browser and Java applet to be running on a manager's computer.
IT managers can also remotely configure, track, and troubleshoot PIX firewalls using a command-line interface. Secure command-line interface communication is available using a number of methods such as SSHv2 Protocol, Telnet through IP Security (IPsec), and out-of-band via a console port. Cisco PIX security appliances also have robust automatic-update capabilities, a collection of advanced secure remote-management services that ensure firewall settings and software images can be kept current.
For a description of Progent's technical support and migration services for Cisco PIX 500 firewalls, see Cisco PIX 500 firewall migration and support services.
Progent's PIX and ASA 5500 to ASA 5500-X Migration Support
Because Cisco has stopped offering the ASA 5500 and PIX product lines, many businesses are concerned about relying on a critical infrastructure component that may no longer be supported. ASA 5500-X firewalls have the advantage of being current products and also offer a number of technical and economic benefits in comparison to older ASA 5500 and PIX devices. These benefits include higher throughput, connection capacity and connection speed plus the ability to run Cisco's Firepower security services. Progent's Cisco experts can help you determine the business case for migrating from PIX or ASA 5500 firewalls to ASA 5500-X devices, create a migration plan that allows for a fast and seamless upgrade, help you deploy and configure new ASA 5500-X Series appliances, and provide remote training, consulting, and troubleshooting services.
How Progent Can Support Your Cisco ASA and PIX Firewalls
Cisco ASA 5500-X with Firepower Services, ASA 5500, and PIX 500 family firewalls incorporate a broad array of configuration, management, and expansion options that offer you the ability to set up these security appliances to match your company's specific requirements. Progent's CCIE authorized network engineers can help you to design and manage an efficient network infrastructure that includes Cisco ASA and/or PIX security appliances and that offers world-class security, availability, throughput, and manageability. Progent's GISA and CISSP-ISSP-qualified information security professionals can help you to create a security policy appropriate for your environment and can configure your security appliance to support your security policies. Progent's security evaluation consultants can assess the strength of your current firewall solution and validate the overall security of your entire IT environment. Progentís Technical Response Center can provide emergency online technical support for Cisco products and can give you quick access to a Cisco CCIE network engineer.
Progent offers a range of additional consulting services to help businesses of any size create a complete, company-wide security solution. Progent's project management services can help you define and implement an efficient plan to migrate from legacy Cisco appliances to the latest generation of devices. Progent's vulnerability testing and mitigation services for network devices and applications can help you validate the security and compliance of your IT environment. Progent's certified information security engineers can help you develop and test a comprehensive security strategy that addresses the complex data theft and privacy issues associated with cloud computing. Progent can help you use Cisco's AnyConnect to provide secure VPN connections for a broad range of platforms such as Windows, Mac, Linux, iOS, Android, Windows Phone and BlackBerry. Progent's BYOD consulting experts can help you manage smartphones and tablets by offering services that include iPhone and iPad integration, Android phone and tablet consulting, and RIM BlackBerry expertise. Progent's ProSight WAN Watch 24x7 remote network monitoring and reporting services provide proactive protection and for your information system. Progent's disaster recovery planning consultants can help you create and validate a DR/BC plan that is based on industry best practices. Progent's QTS Data Center Test Lab is available to prototype new firewall solutions and verify that they provide the performance and security your business requires.
For more details concerning Progent's consulting services for Cisco technology, select a topic:
Integration of Cisco and Third-party Security Technology
Progent offers expertise in firewall and VPN products from all major vendors and can help you integrate Cisco technology with additional security solutions to help you build a cost-effective network infrastructure that provides a level of security and flexibility appropriate for your business. Third-party firewall and VPN support services available from Progent include:
To ask Progent about consulting help with Cisco ASA and PIX firewalls, call 1-800-993-9400 or visit Contact Progent.